Bug#894667: beep bug

2018-04-26 Thread Neal P. Murphy
How similar is beep to beep2? I use beep2 on Smoothwall Express. It is not 
installed suid root. Rather, I changed beep2's default output device to 
/dev/tty13 (would be just as easy to use tty63) and changed the perms on that 
TTY to 622. Without suid root, beep2 can only open files for input or output 
to which its user has access; with similar treatment, beep should be almost 
properly limited.

Neal



Bug#894667: beep bug

2018-04-04 Thread rain1

Hello.

After analysis of the diff it is unclear what exactly the race condition 
bug is and how it would constitute a privilege escalation.


Please could somebody provide an explanation of what the race condition 
is, and how it is a security issue rather than just being a regular bug, 
so we can understand why the patch fixes it.


It seems that opening/closing the console_device (set with -e) was done 
repeatedly in the -n case. It's possible that the race in question would 
be triggered if a SIGINT or SIGTERM was sent at the right time (which 
time?), possibly causing a double free. As the beep program just performs 
ioctl or writes a very simple struct to an fd, it does not seem there is 
enough attacker control to actually do any sort of code execution with 
beep.


So this may not really be a security issue, just a minor improvement in 
the code. I welcome being corrected though.


(Note: we have looked at the satire website about the bug 
https://holeybeep.ninja and it does not provide any technical details of 
interest)


Cheers!
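The handler-timed double free that rain1 speculates about, as an added C example (not beep's code and not the patch under discussion): a heap buffer torn down by both an interrupt handler and the main loop, beside the flag-based pattern that defers teardown to the loop. All names, the buffer and the deterministic `raise()` are constructed for illustration.

```c
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed model, not beep's code: a heap buffer that both the main
 * loop and an interrupt handler tear down. */
static char *buf = NULL;
static volatile sig_atomic_t stop_requested = 0;

/* UNSAFE: the handler frees and exits directly. If SIGINT lands after the
 * loop's free() but before the pointer is cleared, buf is freed twice;
 * free() is also not async-signal-safe, so the heap may be mid-update. */
void unsafe_handler(int sig) { (void)sig; free(buf); _exit(1); }

/* SAFE: the handler only records the request; teardown runs once, in the
 * main loop, where non-async-signal-safe calls are allowed. */
void safe_handler(int sig) { (void)sig; stop_requested = 1; }

/* Install one of the two handlers; returns 0 on success, -1 on error. */
int install_handler(int safe) {
    void (*h)(int) = safe ? safe_handler : unsafe_handler;
    return signal(SIGINT, h) == SIG_ERR ? -1 : 0;
}

/* Idempotent teardown: returns 1 if it freed buf, 0 if already released. */
int release_once(void) {
    if (buf == NULL) return 0;
    free(buf);
    buf = NULL;
    return 1;
}

/* Acquire/use/release the resource n times, the way a repeat loop would
 * reopen a device for each beep. A signal is raised deterministically after
 * stop_after iterations; with safe_handler the loop exits cleanly instead
 * of racing the handler. Returns the number of iterations completed. */
int run_loop(int n, int stop_after) {
    int done = 0;
    for (int i = 0; i < n && !stop_requested; i++) {
        buf = malloc(64);
        if (buf == NULL) return -1;
        memset(buf, 0, 64);           /* stand-in for the ioctl()/write() */
        release_once();
        done++;
        if (done == stop_after) raise(SIGINT);
    }
    return done;
}
```

With `install_handler(0)` the same `run_loop` call would end in `_exit(1)` from inside the handler, with the shared pointer's state depending entirely on where the signal landed.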